Guest Column | July 18, 2019

Protecting Your Identity And Purchase From Common Retail Cyber Scams

By Ruston Miles, Bluefin


Mobile phones, tablets and desktop computers — with so many ways to shop online, it’s no surprise that over $2.3 trillion was spent in online stores in 2017. And that staggering number is only expected to grow. In fact, online retail sales are projected to reach $4.5 trillion by 2021. But retailers aren’t the only ones seeing dollar signs — hackers are too.

Online fraud grew twice as fast as online sales in 2017, which means it’s more important than ever to protect your wallet and identity. Below are five ways that cyber scammers are exploiting online shoppers — and tips to protect your identity and your purchase.

AI-Powered Phishing

Phishing is one of the most tried and true fraud techniques in a hacker’s toolbox. And thanks to new developments in AI, this common cyber scheme is getting a major update.

In an interview with Forbes, Brian Hussey of Trustwave SpiderLabs explained that recent updates to exploit kits make it easier than ever to go phishing. Updates in natural language and AI capabilities enable cyber criminals to automate the creation of highly convincing, unique phishing messages. All the hacker needs to do is upload a single file to email millions of potential victims. What’s worse, these emails can be sent under the guise of a familiar retailer.

How can you avoid a highly sophisticated phishing attack? First, always check the “from” address of the sender to ensure that it checks out. Be wary of unsolicited emails from individuals or brands, especially if they contain links that could lead to malware or false log-in pages designed to steal sensitive information.

URL Squatting

Just like squatters who take up residence in empty buildings, cyber criminals “squat” in available URLs. These fake URLs are deceptively similar to real, trustworthy organizations. “Combosquatting” is a common scam that uses counterfeit URLs with additional elements to the web address. For example,,, or

Cyber squatters also take advantage of common spelling errors. In “typosquatting,” hackers use misspelled domains like or to lead unsuspecting users to fake websites, then trick them into downloading malware or entering valuable information.
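As an added illustration (not part of the original column), the two lookalike patterns described above can be checked mechanically by a mail filter or link scanner. The trusted domains and sample hostnames below are constructed, and the last-two-labels rule for finding the registered domain is a simplifying assumption.

```python
# Hypothetical allowlist of domains the shopper or mail filter trusts.
TRUSTED = ("examplebank.com", "exampleshop.com")


def registrable(host):
    """Last two labels of a hostname (assumption: no multi-part suffixes
    such as .co.uk; real tooling should consult the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two adjacent characters typed in the wrong order count once.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(host):
    """Return 'trusted', 'typosquat:<d>', 'combosquat:<d>' or 'unknown'."""
    host = host.lower().rstrip(".")
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        brand = good.split(".")[0]
        # Typosquatting: one slip away from the real domain.
        if osa_distance(domain, good) <= 1:
            return "typosquat:" + good
        # Combosquatting: the intact brand name with extra elements around
        # it, including the brand used as a subdomain of another domain.
        if brand in host:
            return "combosquat:" + good
    return "unknown"


if __name__ == "__main__":
    # Constructed sample hostnames, not taken from the article.
    for h in ("www.examplebank.com", "exampelbank.com",
              "examplebank-login.com", "examplebank.com.account-verify.net"):
        print(h, "->", classify(h))
```
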

Cyber criminals often send fake URLs via email as phishing scams. The best way to avoid becoming their next victim is to never open or follow links in unsolicited emails.

You should also check your URL bar in your browser for the padlock icon. When this icon is “locked,” it means the website is legitimate and encrypted, and your information is secure. Well … usually.


Formjacking

Most of the time, the padlock icon in your browser bar means your information is safe. But not always.

When a hacker compromises the checkout page of a legitimate e-commerce website, this is called formjacking. In formjacking, the cybercriminal breaches a retailer via its back-end platform or supply chain. They then hide a malicious script on the checkout page. When the consumer types in their credit card information, the script immediately collects it and sends it to the cyber thief.

Unfortunately for consumers, there’s no way to tell if a website is being formjacked. And while small and midsized retailers seem to be the most common targets, the recent formjacking of British Airways and Ticketmaster proves no website is truly safe. In the end, it’s up to retailers to keep their customers safe with up-to-date cybersecurity measures.
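On the retailer side, one check that fits the formjacking pattern described above is a regular audit of every script the checkout page loads. The following is an added example, not from the original column: the host allowlist, the sample page and the choice to require a Subresource Integrity (`integrity`) attribute on third-party scripts are all assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical values: the retailer's own host and the script hosts it expects.
FIRST_PARTY = "shop.example"
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}


class ScriptAudit(HTMLParser):
    """Collects findings for every external <script> on a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline scripts need a separate review
        # A relative URL has no hostname and is served by the first party.
        host = urlparse(src).hostname or FIRST_PARTY
        if host not in ALLOWED_HOSTS:
            # A script tag nobody approved, e.g. one injected after a breach.
            self.findings.append(("unexpected-host", src))
        elif host != FIRST_PARTY and "integrity" not in attr:
            # An approved supplier's file that could be altered upstream
            # without the browser noticing.
            self.findings.append(("no-integrity", src))


def audit(html):
    parser = ScriptAudit()
    parser.feed(html)
    return parser.findings


# Constructed checkout page for the demonstration.
CHECKOUT_HTML = """
<form id="pay"><input name="card"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.shop.example/widgets.js"></script>
<script src="https://stats.analytics-collector.example/a.js"></script>
"""

if __name__ == "__main__":
    for kind, src in audit(CHECKOUT_HTML):
        print(kind, src)
```
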

Malicious Chatbots

AI is rapidly changing the way we live — for better and for worse. As retailers discover more ways to improve consumer experience with AI, cyber criminals are finding more ways to exploit artificial intelligence — including chatbots.

Unfortunately, customer service chatbots are just as useful for hackers as they are for consumers. They contain large pools of useful information for cyberthieves, as evidenced by the breaches of Delta and Sears. Chatbots also present an opportunity to hijack a company’s AI. According to Corey Nachreiner of WatchGuard Technologies, hackers could use flaws in legitimate retailers to set up rogue chatbots on websites that don’t even have a chat function.

The best way to protect yourself against a potentially malicious chatbot? Keep an eye out for typos or spammy language, and don’t click any funny-looking links sent to you by a bot. If something feels off, just pick up the phone and call customer service instead.  

Fake Apps

Just because an app is in the Google Play or App Store doesn’t mean it’s safe. Fake apps are a relatively new cyber scam, and unless you know what to look for, they can be difficult even for a savvy mobile user to spot.

Oftentimes, these fake apps mimic a well-known company down to the logo and developer name. Once downloaded, these counterfeit apps can collect information such as email addresses, passwords and credit card information. One 2018 study found that for the 10 most-trafficked retail websites on Black Friday, there were at least 17 counterfeit apps posing as the real thing.

To avoid fake apps, stay away from third-party app stores. And even while using your provider’s app store, make sure to look closely at the logo and developer name. App impostors often use the same technique as URL squatters to mimic a popular app. That is, they use the company name with a slight variation (Waze Inc.* or Waze Inc.^).

Protecting Customers From Cyber Fraud

Cyber scams aren’t just costly for shoppers. E-commerce retailers stand to lose the trust of their customers, as well as 8 percent of their revenue each year to credit card fraud.

Bluefin’s advanced technology uses P2PE and tokenization services to ensure that customers’ credit card data never traverses your system. To protect your customers and your organization from cyber theft, contact a Bluefin representative today.

About The Author

Ruston Miles has over 15 years of experience in payment processing, specializing in developing secure payment gateway technologies. As Chief Strategy Officer and Founder of Bluefin, Ruston serves as the company’s payment technology evangelist, speaking all over North America on payment trends and technologies, educating the business world on the highest levels of payment security. Ruston is a PCI Professional (PCIP), Certified Payment Professional (CPP), Certified Internet Business Strategist (CIBS), and an active participant with the PCI Security Standards Council.